Vulnerability: Stored Cross-Site Scripting (XSS)
Location: Receipt generation (Web and Email)
Source: Link.custom_receipt field (controllable by product sellers).
Sink:
- /app/app/presenters/receipt_presenter/item_info.rb#custom_receipt_note retrieves purchase.link.custom_receipt and processes it with simple_format and Rinku.auto_link. Neither sanitizes HTML.
- /app/app/views/customer_mailer/receipt/_item.html.erb:23 renders this processed value using <%= raw item_props[:custom_receipt_note] %>.
- This partial is included in the receipt email generated by CustomerMailer.receipt.
- The same email content is rendered directly to the browser via render html: message.html_part.body.raw_source.html_safe in /app/app/controllers/purchases_controller.rb:343 (the receipt action).
Exploitation:
- A seller creates or edits a product.
- In the "Custom Receipt" field for the product, the seller enters an XSS payload, e.g., <img src=x onerror=alert('XSS-Receipt')>.
- A user purchases this product.
- When the user views the receipt (either the web version at /purchases/:id/receipt or the email receipt), the malicious script executes.
Impact: Allows sellers to execute arbitrary JavaScript in the context of users viewing receipts for their products. This can lead to session hijacking, phishing, or other attacks against buyers.
Recommendation: Sanitize the custom_receipt content using a robust HTML sanitizer (like Rails' sanitize helper with appropriate configuration) before passing it to simple_format or Rinku.auto_link and before rendering it with raw or html_safe. Ensure only safe HTML tags and attributes are allowed.
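The ordering the recommendation calls for (neutralize seller-supplied markup before the formatting and auto-linking helpers add their own), shown as an added example that is not the project's code: `format_paragraphs` and `auto_link` are stdlib-only stand-ins for Rails' simple_format and Rinku.auto_link, the processing order is assumed, and the hardened version uses full HTML escaping as the strictest form of sanitization; an allowlist `sanitize` call would take its place where some tags must be kept.

```ruby
require 'cgi'

# Stand-in for simple_format (assumption, not the Rails helper): wrap the
# text in <p> and turn newlines into <br />.
def format_paragraphs(text)
  "<p>" + text.gsub("\n", "<br />\n") + "</p>"
end

# Stand-in for Rinku.auto_link (assumption): turn bare http(s) URLs into anchors.
URL_RE = %r{https?://[^\s<"']+}
def auto_link(text)
  text.gsub(URL_RE) { |url| %(<a href="#{url}">#{url}</a>) }
end

# Pipeline as the report describes it: the seller-controlled value is linked
# and formatted untouched, then the view emits it with `raw`, so any tag or
# event handler the seller typed reaches the buyer's browser and mail client.
def custom_receipt_note_unsafe(custom_receipt)
  format_paragraphs(auto_link(custom_receipt.to_s))
end

# Hardened pipeline: escape the seller input first, then let the helpers add
# the only markup that should exist in the output (<p>, <br />, <a>). Because
# escaping happens before auto_link, the generated anchors survive, and the
# escaped text can no longer close the href attribute or open a new tag.
def custom_receipt_note_safe(custom_receipt)
  escaped = CGI.escapeHTML(custom_receipt.to_s)
  format_paragraphs(auto_link(escaped))
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: the payload quoted in the report.
  payload = "<img src=x onerror=alert('XSS-Receipt')>"
  puts "unsafe: #{custom_receipt_note_unsafe(payload)}"
  puts "safe:   #{custom_receipt_note_safe(payload)}"
end
```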